L2L VPN with NAT
Hi all
I'm quite inexperienced in this subject and would appreciate advice on this.
I need to create a VPN tunnel between our site and a remote site.
On our site we are on network 192.168.0.X; our external IP address is 12.53.150.100.
The site we need to connect to is 69.144.38.48.
We need to go host to host, meaning 192.168.0.97 --> 69.144.38.50, and they want our IP to translate to 10.9.250.1.
Thanks in advance
Jason
Are you familiar with setting up a regular L2L tunnel? In addition to that, you just create a policy NAT:
access-list 100 extended permit ip host 192.168.0.97 host 69.144.38.50
static (inside,outside) 10.9.250.1 access-list 100
When you define your crypto ACL, you specify 10.9.250.1 as the source instead of 192.168.0.97.
Let me know if you need more help.
Tags: Cisco Security
Similar Questions
-
Cisco ASA (site A) with 2 L2L VPNs (call them Site B and Site C)
I need to "inbound NAT" the Site-C network.
Let me explain better:
- Site-B (10.14.63.0/24) accepts only traffic from the local network of Site-A (10.1.6.0/24), and I can't change the VPN.
- Now I've connected Site-C to Site-A, and it must also communicate with Site-B.
- So I thought I would NAT the Site-C network (10.168.3.0/24) in order to present it with an IP of Site-A.
Possible?
And how do I configure the ASA at Site-A?
Thank you
Claudio
Hello
What is the software level on the Site-A ASA?
-Jouni
-
L2L VPN with static NAT to hide internal IPs on a Cisco 1841 ISR
I configured an L2L VPN on a Cisco 1841 ISR. I'm statically NATting some of my internal hosts to IPs that are included in the encrypted traffic. Please note that not all internal hosts are being NATted. I am doing this to hide some of the actual IP addresses on the inside network. I confirmed that the VPN works, as does the NATting of VPN traffic. I have traditionally configured L2L VPNs on Cisco ASA 5500 Series devices, and this is my first attempt with an 1841. I just want others to take a glance to see if I missed something or could do part of the configuration more effectively. All comments are welcome.
VPN-RTR-01#show run
Building configuration...

Current configuration : 9316 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname VPN-RTR-01
!
boot-start-marker
boot-end-marker
!
! card type command needed for slot/vwic-slot 0/0
logging buffered 51200 warnings
no logging console
enable secret 5 xxxxxxxxxxxxxxx
enable password 7 xxxxxxxxxxxxxxx
!
no aaa new-model
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
crypto pki trustpoint TP-self-signed-2010810276
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2010810276
 revocation-check none
 rsakeypair TP-self-signed-2010810276
!
!
crypto pki certificate chain TP-self-signed-2010810276
 certificate self-signed 01
 quit
username lhocin privilege 15 password 7 xxxxxxxxxxxxxxx
username jsmith privilege 15 password 7 xxxxxxxxxxxxxxx
!
!
!
!
crypto isakmp policy 5
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key xxxxxxxxxxxxxxx address 172.21.0.1 no-xauth
!
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
!
crypto map VPN-REMOTE-SITE 1 ipsec-isakmp
 set peer 172.21.0.1
 set transform-set ESP-AES256-SHA
 match address VPN-REMOTE-SITE
!
!
!
interface FastEthernet0/0
 no ip address
 speed auto
 full-duplex
 no mop enabled
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
!
interface FastEthernet0/0.2
 description $FW_INSIDE$
 encapsulation dot1Q 61
 ip address 10.1.0.34 255.255.255.224
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0.3
 description $FW_OUTSIDE$
 encapsulation dot1Q 111
 ip address 172.20.32.17 255.255.255.224
 ip access-group 101 in
 ip verify unicast reverse-path
 ip nat outside
 ip virtual-reassembly
 crypto map VPN-REMOTE-SITE
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.20.32.1
ip route 10.16.0.0 255.255.0.0 10.1.0.33
ip route 10.19.0.0 255.255.0.0 10.1.0.33
ip route 10.191.0.0 255.255.0.0 10.1.0.33
ip route 10.192.0.0 255.255.0.0 10.1.0.33
ip route 192.168.20.48 255.255.255.240 10.1.0.33
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map NO_NAT interface FastEthernet0/0.3 overload
ip nat inside source static 10.191.0.11 192.168.20.54 route-map STATIC_NAT_7 extendable
ip nat inside source static 10.191.0.12 192.168.20.55 route-map STATIC_NAT_8 extendable
ip nat inside source static 10.192.1.1 192.168.20.56 route-map STATIC_NAT_1 extendable
ip nat inside source static 10.192.1.2 192.168.20.57 route-map STATIC_NAT_2 extendable
ip nat inside source static 10.192.1.3 192.168.20.58 route-map STATIC_NAT_3 extendable
ip nat inside source static 10.192.1.4 192.168.20.59 route-map STATIC_NAT_4 extendable
ip nat inside source static 10.192.1.5 192.168.20.61 route-map STATIC_NAT_5 extendable
ip nat inside source static 10.16.1.6 192.168.20.62 route-map STATIC_NAT_6 extendable
!
ip access-list extended VPN-REMOTE-SITE
 permit ip 192.168.20.48 0.0.0.15 host 10.174.52.39
 permit ip 192.168.20.48 0.0.0.15 host 10.174.52.40
ip access-list extended inside_nat_static_1
 permit ip host 10.192.1.1 host 10.174.52.39
 permit ip host 10.192.1.1 host 10.174.52.40
 deny ip any any
ip access-list extended inside_nat_static_2
 permit ip host 10.192.1.2 host 10.174.52.39
 permit ip host 10.192.1.2 host 10.174.52.40
 deny ip any any
ip access-list extended inside_nat_static_3
 permit ip host 10.192.1.3 host 10.174.52.39
 permit ip host 10.192.1.3 host 10.174.52.40
 deny ip any any
ip access-list extended inside_nat_static_4
 permit ip host 10.192.1.4 host 10.174.52.39
 permit ip host 10.192.1.4 host 10.174.52.40
 deny ip any any
ip access-list extended inside_nat_static_5
 permit ip host 10.192.1.5 host 10.174.52.39
 permit ip host 10.192.1.5 host 10.174.52.40
 deny ip any any
ip access-list extended inside_nat_static_6
 permit ip host 10.16.1.6 host 10.174.52.39
 permit ip host 10.16.1.6 host 10.174.52.40
 deny ip any any
ip access-list extended inside_nat_static_7
 permit ip host 10.191.0.11 host 10.174.52.39
 permit ip host 10.191.0.11 host 10.174.52.40
 deny ip any any
ip access-list extended inside_nat_static_8
 permit ip host 10.191.0.12 host 10.174.52.39
 permit ip host 10.191.0.12 host 10.174.52.40
 deny ip any any
!
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 172.20.32.0 0.0.0.31 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark SDM_ACL Category=17
access-list 101 permit udp any host 192.168.20.62
access-list 101 permit tcp any host 192.168.20.62
access-list 101 permit udp any host 192.168.20.61
access-list 101 permit tcp any host 192.168.20.61
access-list 101 permit udp any host 192.168.20.59
access-list 101 permit tcp any host 192.168.20.59
access-list 101 permit udp any host 192.168.20.58
access-list 101 permit tcp any host 192.168.20.58
access-list 101 permit udp any host 192.168.20.57
access-list 101 permit tcp any host 192.168.20.57
access-list 101 permit udp any host 192.168.20.56
access-list 101 permit tcp any host 192.168.20.56
access-list 101 permit udp any host 192.168.20.55
access-list 101 permit tcp any host 192.168.20.55
access-list 101 permit udp any host 192.168.20.54
access-list 101 permit tcp any host 192.168.20.54
access-list 101 permit ip host 10.174.52.40 192.168.20.48 0.0.0.15
access-list 101 permit ip host 10.174.52.39 192.168.20.48 0.0.0.15
access-list 101 permit udp host 172.21.0.1 host 172.20.32.17 eq non500-isakmp
access-list 101 permit udp host 172.21.0.1 host 172.20.32.17 eq isakmp
access-list 101 permit esp host 172.21.0.1 host 172.20.32.17
access-list 101 permit ahp host 172.21.0.1 host 172.20.32.17
access-list 101 permit icmp any host 172.20.32.17 echo-reply
access-list 101 permit icmp any host 172.20.32.17 time-exceeded
access-list 101 permit icmp any host 172.20.32.17 unreachable
access-list 101 permit udp any host 172.20.32.17 eq isakmp log
access-list 101 permit udp any host 172.20.32.17 eq non500-isakmp
access-list 101 permit tcp any host 172.20.32.17 eq 443
access-list 101 permit tcp any host 172.20.32.17 eq 22
access-list 101 permit tcp any host 172.20.32.17 eq cmd
access-list 101 deny ip 10.1.0.32 0.0.0.31 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 deny ip 192.168.20.48 0.0.0.15 host 10.174.52.40
access-list 102 deny ip 192.168.20.48 0.0.0.15 host 10.174.52.39
access-list 102 permit ip 10.1.0.32 0.0.0.31 any
!
route-map NO_NAT permit 1
 match ip address 102
!
route-map STATIC_NAT_8 permit 10
 match ip address inside_nat_static_8
!
route-map STATIC_NAT_5 permit 10
 match ip address inside_nat_static_5
!
route-map STATIC_NAT_4 permit 10
 match ip address inside_nat_static_4
!
route-map STATIC_NAT_7 permit 10
 match ip address inside_nat_static_7
!
route-map STATIC_NAT_6 permit 10
 match ip address inside_nat_static_6
!
route-map STATIC_NAT_1 permit 10
 match ip address inside_nat_static_1
!
route-map STATIC_NAT_3 permit 10
 match ip address inside_nat_static_3
!
route-map STATIC_NAT_2 permit 10
 match ip address inside_nat_static_2
!
!
!
control-plane
!
!
!
line con 0
 exec-timeout 30 0
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

VPN-RTR-01#
Hello
Configuration looks OK to me.
You can still cross-reference it with the following link:
http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080223a59.shtml
I hope this helps.
Kind regards
Anisha
P.S.: Please mark this thread as answered if you feel your query is resolved. Rate the helpful posts.
-
Hi all!
I have a question about L2L VPN and NAT.
Can I set up the VPN tunnel between two ASAs or routers using NAT translation from the inside private IP addresses to a single public IP address on the outside interface, and then define the interesting crypto traffic with the public IP address as the source and the remote private network on the other end (also an ASA) as the destination? For example, I want to translate a private network to the public IP address at one end and use the VPN tunnel with a public IP address as the source. Policy NAT is not an option, because we really do not want to give any IP address to the remote end, and the IP addresses of the remote end can overlap with ours.
Thank you!
Hello
You can definitely set up an IPSec tunnel between two devices while translating your subnet into a single public IP address. You just create the translation and, as you mentioned, define interesting traffic using the public IP address.
This is exactly what we call policy NAT; I don't understand why you say that policy NAT is not an option. Perhaps you misunderstood the policy NAT concept or I misunderstood your question.
For example, assuming that the private LAN at your side is 172.16.1.0/24, the remote subnet is 192.168.150.0/24, and the public IP address that you want to use is 200.200.200.200, your NAT config should look like this:
access-list 199 permit ip 172.16.1.0 255.255.252.0 192.168.150.0 255.255.255.0
global (outside) 6 200.200.200.200
nat (inside) 6 access-list 199
This would NAT traffic to the public IP address only when the traffic matches the ACL.
Your crypto ACL should then be something like:
access-list cryptomap permit ip host 200.200.200.200 192.168.150.0 255.255.255.0
That would hide your real addresses, and all they see is the public IP address you give them. Note that since the NAT takes place on your side, your side will be the one able to bring up the tunnel.
I hope this helps.
Raga
-
Hello
I am trying to set up a VPN between a VLAN I have defined and another office. I have been NATting on the interface for Internet access with a NAT pool.
I created the VPN with a crypto map and the VPN comes up successfully.
The problem I encounter is that with NAT enabled, Internet access is working but I cannot ping through the VPN.
If I disable NAT, the VPN works perfectly, but then the VLAN cannot access the Internet.
What should I do differently?
Here is the config:
Platform: 2911 with security package
Local network: 10.10.104.0/24
Remote network: 192.168.1.0/24
Public range: 65.49.46.68/28
crypto isakmp policy 104
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key REDACTED address 75.76.102.50
crypto ipsec transform-set strongsha esp-3des esp-sha-hmac
crypto map OFFICE 104 ipsec-isakmp
 set peer 75.76.102.50
 set transform-set strongsha
 match address 104
interface GigabitEthernet0/0
 ip address 65.49.46.68 255.255.255.240
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex full
 speed 100
 standby 0 ip 65.49.46.70
 standby 0 timers 2 6
 standby 0 preempt
 crypto map OFFICE redundancy WAN
interface GigabitEthernet0/2.104
 encapsulation dot1Q 104
 ip address 10.10.104.254 255.255.255.0
ip nat pool wan_access 65.49.46.70 65.49.46.70 prefix-length 28
ip nat inside source list 99 pool wan_access overload
access-list 99 permit 10.10.104.0 0.0.0.255
access-list 104 permit ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 permit ip 192.168.1.0 0.0.0.255 10.10.104.0 0.0.0.255
access-list 104 permit icmp 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 permit icmp 192.168.1.0 0.0.0.255 10.10.104.0 0.0.0.255
#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
65.49.46.70     75.76.102.50    QM_IDLE           1299 ACTIVE
Hello!
Please make these changes:
ip access-list extended Internet-NAT
 deny ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.10.104.0 0.0.0.255 any
ip nat inside source list Internet-NAT pool wan_access overload
* Please do not remove the old NAT statement until you have added the one above.
Please keep me posted.
Thank you!
Sent from Cisco Technical Support Android app
-
Hello, I was hoping someone might have an example of a site-to-site VPN configuration where the ASA is statically NATting its internal network. Basically the same configuration as this one, but instead of "no NAT", the ASA is NATting. So instead of the remote site connecting to the local network 10.10.10.0/24, the ASA would NAT it to 172.16.17.0/24, for example.
http://www.Cisco.com/en/us/products/ps9422/products_configuration_example09186a0080b4ae61.shtml
Thank you.
Mike
It's not very complicated; just keep in mind that NAT is done before encryption.
So if you NAT your internal network 10.10.10.0/24 to 172.16.17.0/24:
static (inside,outside) 172.16.17.0 10.10.10.0 netmask 255.255.255.0
You can then use the translated addresses in your crypto ACL:
access-list REMOTE-VPN permit ip 172.16.17.0 255.255.255.0 REMOTE-NET 255.255.255.0
I suppose that you run ASA v8.3+, given that you referred to an older document. If you have more recent software, the logic is the same but the NAT commands differ.
Sent from Cisco Technical Support iPad App
-
LAN-to-LAN VPN with NAT - solved!
Hello all
I have problems with an L2L VPN that is implemented and up; however, when traffic comes from the other side of the tunnel it does not reach the host on the internal network through a static NAT. Inside host 172.18.30.225 is currently NATted to yyy.30.49.14, which is an IP address on the DMZ (yyy.30.49.0 255.255.255.240) interface.
Here is the configuration:
object-group network NET-Tunnel
 network-object host xxx.220.129.134
access-list Tunnel-ACL extended permit ip host yyy.30.49.14 object-group NET-Tunnel
crypto map MAP_Tunnel 20 match address Tunnel-ACL
object network Tunnel-iServer-NAT
 host yyy.30.49.14
object network Tunnel-iServer
 host 172.18.30.225
object network Tunnel-iServer
 nat (inside,DMZ) static Tunnel-iServer-NAT
I hope that this is enough for someone to help me.
Thank you
M
ASA version 8.3.1
Post edited by: network operations
Does the internal host live on the DMZ network or the internal network? If it lives on the internal network, you cannot NAT it to the DMZ interface and have it go out the outside interface, assuming the outside interface is the VPN endpoint. If you terminate the VPN on the DMZ interface and the internal host lives on the internal network, then that's fine.
-
L2L VPN with a Palo Alto firewall
I'm setting up an L2L tunnel with a Palo Alto firewall and it's going badly. It is a fairly simple setup: we are encrypting public-to-public traffic for SFTP downloads on the ASA side. Here are the relevant parts of the config and various outputs... The remote admin asserts that phase 1 passes and that we get a timeout waiting for phase 2. Any help would be appreciated.
1.1.1.1 (customer2 destination address)
1.1.1.2 (customer2 VPN gateway)
2.2.2.0 (local public IP space)
name 1.1.1.1 CustomerVPN2 description customer VPN2
access-list Inside_nat0_outbound extended permit ip 2.2.2.0 255.255.255.240 host CustomerVPN2
access-list Outside_4_cryptomap extended permit ip 2.2.2.0 255.255.255.240 host CustomerVPN2
crypto map Outside_map 4 match address Outside_4_cryptomap
crypto map Outside_map 4 set connection-type originate-only
crypto map Outside_map 4 set peer 1.1.1.2
crypto map Outside_map 4 set transform-set ESP-AES-256-SHA
crypto isakmp policy 50
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes
 pre-shared-key *
sh crypto isakmp sa (listed as type: user)
8   IKE Peer: 1.1.1.2
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
debug crypto ipsec (looks like it's trying all crypto maps except one)
IPSEC(crypto_map_check): crypto map Outside_map 1: no match for ACL Outside_1_cryptomap.
IPSEC(crypto_map_check): crypto map Outside_map 2: no match for ACL Outside_2_cryptomap.
IPSEC(crypto_map_check): crypto map Outside_map 3: no match for ACL Outside_3_cryptomap.
IPSEC(crypto_map_check): crypto map Outside_map 3: no match for ACL OO_temp_Outside_map3.
and finally:
Oct 03 10:39:09 [IKEv1]: IP = 1.1.1.2, Removing peer from peer table failed, no match!
Oct 03 10:39:09 [IKEv1]: IP = 1.1.1.2, Error: Unable to remove PeerTblEntry
Hey Evo,
Is your ASA public interface the same as the public IP address that you are trying to encrypt?
I think you need to create a policy NAT, which can be to a private IP address as well, and then use it as your side of the interesting traffic, because the Palo Alto admin is right about routing the VPN accordingly.
Here are some links for policy-based NAT and Palo Alto side VPN screenshots and explanations.
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00807d2874.shtml
http://netsecinfo.blogspot.com/2008/02/route-based-VPNs-explained.html
Manish
-
IOS IPSEC VPN with NAT - translation problem
I'm having a problem with an IOS IPSEC VPN configuration.
/*
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key TEST123 address 205.xx.1.4
!
!
crypto ipsec transform-set CHAIN esp-3des esp-sha-hmac
!
!
crypto map CRYPTO-MAP 10 ipsec-isakmp
 set peer 205.xx.1.4
 set transform-set CHAIN
 match address 115
!
interface FastEthernet0/0
 description TO EDGE ROUTER
 ip address 208.xx.xx.33 255.255.255.252
 ip nat outside
 crypto map CRYPTO-MAP
!
interface FastEthernet0/1
 description INTERNAL NETWORK
 ip address 10.15.2.4 255.255.255.0
 ip nat inside
access-list 115 permit ip 192.xx.xx.128 0.0.0.3 172.xx.1.0 0.0.0.3
*/
(This configuration is incomplete; NAT configuration is needed.)
Here is the solution that I'm looking for:
When a session is initiated from the "internal network" to the remote IPSEC network 172.xx.1.0/30, I want the '10.15.0.0/16' address scheme to be NAT-translated to '192.xx.xx.128/30' before being forwarded through the IPSEC VPN tunnel.
For more information, see the attached diagram.
Any help is greatly appreciated!
Thank you
Clint Simmons
Network engineer
You can try the NAT + route-map approach (method 2 in this link):
http://www.Cisco.com/en/us/Tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml
Thank you
Raja K
-
IOS VPN with NAT - need help with ACL?
What am I forgetting? I have tried other posts, studied known bugs with 12.2(13)T1, workarounds, etc., but perhaps my other configuration choices interfere with my VPN configuration.
I can connect and authenticate locally just fine. Cisco VPN client 3.6.3 stats show I'm encrypting traffic to the protected networks, but I cannot get any traffic through to internal hosts once I've connected.
I removed security tags and replaced all the public IP addresses with fake ones in the hope that someone can point me to what is obvious!
Thank you very much.
----------
Current configuration : 5508 bytes
!
! Last configuration change at 22:24:38 PST Thu Feb 20 2003 by kevin
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
ip domain name mondomaine.fr
ip name-server 199.13.28.12
ip name-server 199.13.29.12
!
ip inspect audit-trail
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name Ethernet_0_1 tcp
ip inspect name Ethernet_0_1 udp
ip inspect name Ethernet_0_1 cuseeme
ip inspect name Ethernet_0_1 ftp
ip inspect name Ethernet_0_1 h323
ip inspect name Ethernet_0_1 rcmd
ip inspect name Ethernet_0_1 realaudio
ip inspect name Ethernet_0_1 smtp
ip inspect name Ethernet_0_1 streamworks
ip inspect name Ethernet_0_1 vdolive
ip inspect name Ethernet_0_1 sqlnet
ip inspect name Ethernet_0_1 tftp
ip inspect name Ethernet_0_1 http java-list 99
ip inspect name Ethernet_0_1 rtsp
ip inspect name Ethernet_0_1 netshow
ip inspect name Ethernet_0_0 tcp
ip inspect name Ethernet_0_0 ftp
ip inspect name Ethernet_0_0 udp
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group vpngroup
 key xxxxxxxxx
 dns 199.13.28.12 199.13.29.12
 domain mydomain.com
 pool vpnpool
 acl 110
!
!
crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set RIGHT
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
mta receive maximum-recipients 0
!
!
interface Ethernet0/0
 description connected to the Internet
 ip address 199.201.44.198 255.255.255.248
 ip access-group 101 in
 ip nat outside
 ip inspect Ethernet_0_0 in
 no ip route-cache
 no ip mroute-cache
 half-duplex
 crypto map clientmap
!
interface Serial0/0
 no ip address
 shutdown
!
interface Ethernet0/1
 description connected to private
 ip address 192.168.1.254 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip inspect Ethernet_0_1 in
 half-duplex
!
ip local pool vpnpool 192.168.2.201 192.168.2.210
ip nat translation timeout 119
!!
!! - removed the following line for the VPN configuration
!! ip nat inside source list 1 interface Ethernet0/0 overload
!! - replaced by the following line...
ip nat inside source route-map sheep interface Ethernet0/0 overload
ip nat inside source static 192.168.1.1 199.201.44.197
ip classless
ip route 0.0.0.0 0.0.0.0 199.201.44.193 permanent
ip http server
ip http access-class 7
ip http authentication local
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 5 permit 192.5.41.40
access-list 5 permit 192.5.41.41
access-list 5 deny any
access-list 7 permit 192.168.1.0 0.0.0.255
access-list 7 deny any
access-list 99 deny any
access-list 100 permit udp any eq rip any eq rip
access-list 100 permit tcp host 192.168.1.1 any eq www
access-list 100 permit ip host 192.168.1.1 any
access-list 100 permit tcp host 192.168.1.2 any eq www
access-list 100 permit ip host 192.168.1.2 any
access-list 100 deny ip host 192.168.1.253 any
access-list 100 permit ip any any
access-list 101 deny ip host 199.201.44.197 any
access-list 101 permit tcp any host 199.201.44.197 eq 22
access-list 101 permit tcp any host 199.201.44.197 eq www
access-list 101 permit tcp any host 199.201.44.197 eq 115
access-list 101 permit icmp any host 199.201.44.197
access-list 101 permit ip any host 199.201.44.198
access-list 101 permit tcp any host 199.201.44.197 eq 8000
access-list 101 permit tcp any host 199.201.44.197 eq 8080
access-list 101 permit tcp any host 199.201.44.197 eq 9090
access-list 101 permit udp any host 199.201.44.197 eq 7070
access-list 101 permit udp any host 199.201.44.197 eq 554
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 115 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 115 permit ip 192.168.1.0 0.0.0.255 any
!
route-map sheep permit 10
 match ip address 115
!
line con 0
 exec-timeout 0 0
 password 7 XXXXXXXXXXXXXXX
line aux 0
line vty 0 4
 password 7 XXXXXXXXXXXXXXXX
!
ntp clock-period 17208655
ntp source Ethernet0/0
ntp access-group peer 5
ntp access-group serve-only 7
ntp master 3
ntp server 192.5.41.41
ntp server 192.5.41.40
!
end
----------
Config looks OK; you should be able to get to every internal host EXCEPT 192.168.1.1 with this configuration. If you do a 'sho cry ipsec sa', do you see Pkts Decaps increment, indicating that you see the traffic from the remote client? Do you see Pkts Encaps increment, indicating that you send a response back to the client from the internal host?
As for 192.168.1.1, because you have this:
> ip nat inside source static 192.168.1.1 199.201.44.197
it overrides this:
> ip nat inside source route-map sheep interface Ethernet0/0 overload
for that host's traffic only, and therefore traffic back from just that host is always NATted even if you don't want it to be. The workaround is to send traffic from this host through a loopback interface with no NAT enabled on it, so that it stops being NATted and allows you to connect via VPN. See http://www.cisco.com/warp/public/707/static.html for a detailed explanation, but basically you must add this:
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
interface Ethernet0/1
 ip policy route-map static
route-map static permit 10
 match ip address 120
 set ip next-hop 1.1.1.2
access-list 120 permit ip host 192.168.1.1 192.168.2.0 0.0.0.255
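The 2911 NAT-pool thread, Raga's policy-NAT answer and the static-NAT override for 192.168.1.1 just explained all turn on one rule: inside-source NAT is applied before the crypto map ACL is consulted, so the crypto ACL only ever sees translated addresses. The Python below is an editorial model of that ordering, not code posted in the thread; it reuses the ACLs and addresses from those posts (taking the /24 from the policy-NAT prose rather than the 255.255.252.0 mask in its ACL line), while the individual host addresses such as 10.10.104.25 and 192.168.2.205 are constructed.

```python
"""Model of the IOS/ASA outbound order of operations: inside-source NAT runs
first, then the crypto map ACL is evaluated against the *translated* packet.

Editorial example, not code from the thread. ACLs and pool/peer addresses come
from the posts above; host addresses (10.10.104.25, 172.16.1.15, 192.168.2.205)
are constructed for the walk-through.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Ace:
    """One access-list entry; src/dst are CIDR strings, 0.0.0.0/0 means 'any'."""
    action: str  # "permit" or "deny"
    src: str
    dst: str


def acl_lookup(acl, src, dst):
    """First-match evaluation with the implicit deny at the end."""
    s, d = ip_address(src), ip_address(dst)
    for ace in acl:
        if s in ip_network(ace.src) and d in ip_network(ace.dst):
            return ace.action
    return "deny"


def apply_inside_nat(src, dst, static_map, nat_acl, translated):
    """ip nat inside source ...: a plain static entry wins for its host whatever
    the destination; otherwise the list/route-map rule translates only when its
    ACL permits, so a leading deny entry is the NAT-exemption trick."""
    if src in static_map:
        return static_map[src]
    if acl_lookup(nat_acl, src, dst) == "permit":
        return translated
    return src


def outbound(src, dst, static_map, nat_acl, translated, crypto_acl):
    """Return (post-NAT source, encrypted?) for one outbound packet."""
    post_nat = apply_inside_nat(src, dst, static_map, nat_acl, translated)
    return post_nat, acl_lookup(crypto_acl, post_nat, dst) == "permit"


# --- 2911 thread: 10.10.104.0/24 PATted to 65.49.46.70, remote 192.168.1.0/24
CRYPTO_104 = [Ace("permit", "10.10.104.0/24", "192.168.1.0/24")]
ACL_99 = [Ace("permit", "10.10.104.0/24", "0.0.0.0/0")]  # standard ACL: source only
ACL_INTERNET_NAT = [Ace("deny", "10.10.104.0/24", "192.168.1.0/24"),
                    Ace("permit", "10.10.104.0/24", "0.0.0.0/0")]


def vpn_2911(nat_acl, dst="192.168.1.10"):
    return outbound("10.10.104.25", dst, {}, nat_acl, "65.49.46.70", CRYPTO_104)


# --- policy-NAT answer: 172.16.1.0/24 -> 192.168.150.0/24 hidden behind 200.200.200.200
ACL_199 = [Ace("permit", "172.16.1.0/24", "192.168.150.0/24")]
CRYPTO_POLICY = [Ace("permit", "200.200.200.200/32", "192.168.150.0/24")]


def vpn_policy_nat(dst="192.168.150.7"):
    return outbound("172.16.1.15", dst, {}, ACL_199, "200.200.200.200", CRYPTO_POLICY)


# --- VPN-client thread: static NAT for 192.168.1.1 overrides the "sheep" route-map
STATIC_HOST = {"192.168.1.1": "199.201.44.197"}
ACL_115 = [Ace("deny", "192.168.1.0/24", "192.168.2.0/24"),
           Ace("permit", "192.168.1.0/24", "0.0.0.0/0")]
ACL_110 = [Ace("permit", "192.168.1.0/24", "0.0.0.0/0")]  # split-tunnel ACL stands in for the dynamic map


def reply_to_vpn_client(src):
    return outbound(src, "192.168.2.205", STATIC_HOST, ACL_115, "199.201.44.198", ACL_110)


if __name__ == "__main__":
    print("2911 with ACL 99:        ", vpn_2911(ACL_99))            # PATted, never encrypted
    print("2911 with Internet-NAT:  ", vpn_2911(ACL_INTERNET_NAT))  # exempt, encrypted
    print("policy NAT toward peer:  ", vpn_policy_nat())
    print("reply from 192.168.1.2:  ", reply_to_vpn_client("192.168.1.2"))
    print("reply from 192.168.1.1:  ", reply_to_vpn_client("192.168.1.1"))
```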
-
L2L VPN with public IP on the router and firewall with private IP
Dear all,
I have a requirement for a site-to-site VPN configuration, but the firewall on the remote end does not have a public IP; the public IP address is terminated on the router. Please find the attached diagram.
LAN --> Firewall (private IP) --> Router (public IP) --> ISP
How can I set up the site-to-site VPN tunnel? Urgent help would be appreciated.
Thanks in advance...
Mikael
You can configure a 1:1 static NAT on the router for the ASA outside interface, using a spare public IP address on the router.
If you don't have a spare public IP address, then you must configure static UDP/500 and UDP/4500 PAT on the router and enable NAT-T on the ASA.
-
Remote host IP SLA ping through a VPN tunnel with NAT
Hi all
I did some research here but didn't come across similar issues. I'm sure that what I want is not possible, but I want to make sure.
I want to monitor a remote host on the other side of a VPN. The local endpoint is my ASA.
The local INSIDE_LAN traffic is NATted to 10.19.124.1 before entering the VPN tunnel.
Interesting VPN traffic ACL used by the crypto map:
access-list ACL_TUNNELED_TO_REMOTE line 1 extended permit ip host 10.19.124.1 192.168.1.0 255.255.255.0
NAT rules:
global (OUTSIDE) 2 10.19.124.1 netmask 255.255.255.255
nat (INSIDE_LAN) 2 access-list ACL_NAT_TO_REMOTE
NAT ACL:
access-list ACL_NAT_TO_REMOTE line 1 extended permit ip 172.19.126.32 255.255.255.224 192.168.1.0 255.255.255.0
This configuration works very well for traffic from hosts in 172.19.126.32 255.255.255.224 to 192.168.1.0 255.255.255.0.
However, I'd like to use "ip sla" on the ASA itself to monitor a remote host in 192.168.1.0 with ICMP ping. This would imply NATting one IP of the ASA to 10.19.124.1, but I do not see how to do this. None of the interfaces on the ASA is logical, to use as a source for this.
Thanks for ideas and comments.
Regards
You are absolutely right; unfortunately you won't be able to NAT the ASA's interface IP address. NAT works for traffic passing through the ASA, not for traffic originating from the ASA itself.
-
I'm sure this question has been asked several times, but I want to make sure I understand before proceeding.
I set up a site-to-site IPSec VPN between two ASAs.
I want to NAT an internal host that connects to the peer network of my VPN. So I need to make sure that traffic from this internal host is NATted before entering the VPN tunnel as "interesting traffic".
So let's say the remote 192.168.20.0/24 network connects via the IPSec VPN tunnel, with peers 65.200.1.1 and 198.14.7.10, to host 10.100.1.7 on my network.
I want to NAT host 10.100.1.7 to 192.168.100.5 so the remote network connects to the 192 address, not the 10.
How can I do this?
(I use an ASA 5505)
Hello Colin,
That's right; it's one of the great things about the changes between version 8.3 and prior versions. You can create a policy NAT rule in a single line.
Please let me know if you understand this or if there is something else I can do for you.
Rate the helpful posts.
Have a good night,
Julio
-
Concentrator 3000 LAN-to-LAN VPN with NAT
I need to configure a LAN-to-LAN VPN between two 3030 concentrators (separate companies) over the Internet. My company assigns a small subnet for hosts sitting on the client network. The customer wants to use their own IP subnet and assign IP addresses within their range. So they do static NAT on their concentrator. Is this possible? Or do they have to NAT the PCs before arriving at the concentrator? Any help much appreciated.
Hello
The VPN Concentrator supports NAT.
HTH
Kind regards
GE.
-
Easy VPN with IPSec L2L VPN (Site-to-Site) on the same ASA 5505
Hi Experts,
We have an ASA 5505 in our environment, and currently two IPSec L2L VPN tunnels are established. But we intend to connect with Easy VPN (Network Extension Mode) to another site as a client. Is it possible to configure Easy VPN while keeping the currently active IPSec L2L VPN (Site-to-Site) tunnels? If not, is there any workaround?
Here's the warning we get when we try to configure the Easy VPN client.
NOCMEFW1(config)# vpnclient enable
* Remove "nat (inside) 0 S2S-VPN"
* Detach crypto map attached to the outside interface
* Remove user-defined tunnel groups
* Remove manually configured ISAKMP policies
CONFIG CONFLICT: Configuration that would prevent successful Cisco Easy VPN Remote
operation was detected and listed above. Please resolve the
above configuration and re-enable.
Thanks and regards
ANUP sisi
"Dynamic crypto map must be installed on the server device."
Yes, a dynamic crypto map is configured on the Easy VPN server.
Thank you